2026-06-24 10:58:19 +02:00
1 changed files with 94 additions and 0 deletions
--- a/packaging/mother/MOTHER-SETUP.md
+++ b/packaging/mother/MOTHER-SETUP.md
@ -89,6 +89,100 @@ sudo ./packaging/mother/setup-mother.sh
 Idempotent — running again is a no-op.
 ## First-run checklist (osa)
 Run through this the **first** time you deploy on osa (or any new mother).
 Most of it is `setup-mother.sh`; the checks around it catch the things that
 can't be validated until a real PostgreSQL + FreeBSD host is in front of you.
 **1. Build 0.12 on FreeBSD from current `main` (provenance).**
 Binaries built on Linux will not run on osa. Build and gate on the host:
 ```sh
 cd /home/clawdie/ai/colibri
 git fetch origin && git checkout main && git merge --ff-only origin/main
 ./scripts/ci-checks.sh            # fmt, clippy -D warnings, tests — must be green
 cargo build --workspace --release
 ```
 **2. Before installing — note any pre-existing (possibly unsafe) tool.**
 An older `node-register-mcp` may already sit in `/usr/local/bin` from an earlier
 copy. `setup-mother.sh` overwrites it, but record what was there:
 ```sh
 ls -l /usr/local/bin/node-register-mcp 2>/dev/null || echo "(none installed yet)"
 ```
 **3. Run the canonical setup.** Copy the printed private key straight to the
 node seed (step 8) — do not leave it in shell scrollback or a logged session.
 ```sh
 sudo ./packaging/mother/setup-mother.sh
 ```
 **4. The installed `node-register-mcp` is the hardened version.**
 The safe tool uses parameterized `psql -v :'var'` against `hive_nodes`; the old
 one used `E'${...}'` string interpolation (SQL-injectable). Verify:
 ```sh
 grep -c "E'"        /usr/local/bin/node-register-mcp   # expect 0
 grep -c hive_nodes  /usr/local/bin/node-register-mcp   # expect > 0
 ```
 **5. The schema migrated, data preserved.** On an existing DB, `usb_nodes`
 should be renamed to `hive_nodes` (not duplicated), with the `node_type` column:
 ```sh
 sudo -u postgres psql -d mother_hive -c "SELECT to_regclass('public.usb_nodes')"   # expect (null)
 sudo -u postgres psql -d mother_hive -c "SELECT to_regclass('public.hive_nodes')"  # expect hive_nodes
 sudo -u postgres psql -d mother_hive -c "\d hive_nodes" | grep node_type            # column present
 ```
 **6. Peer auth works for the `colibri` role.** This is what `node-register-mcp`
 relies on (no password):
 ```sh
 sudo -u colibri psql -d mother_hive -c "SELECT hostname, node_type, status FROM hive_nodes;"
 ```
 If it errors with an auth failure, confirm the peer rule landed **and precedes**
 any generic `local all all` line (pg_hba is first-match):
 ```sh
 HBA=$(sudo -u postgres psql -tAc 'SHOW hba_file'); sudo grep -n 'mother_hive .*colibri .*peer' "$HBA"
 ```
 **7. External MCP registry has all three servers** (jq-merge preserved any
 existing entries):
 ```sh
 jq '.servers | keys' /usr/local/etc/colibri/external-mcp.json
 # expect: build-colibri (mother-build) / geodesic-dome / node-register present
 ```
 **8. The SSH forced-command boundary allowlists.** A non-allowlisted command
 must be rejected, not run:
 ```sh
 ssh colibri@localhost 'rm -rf /'   # expect: rejected (exit 1), nothing runs
 ssh colibri@localhost tools        # expect: MCP tool list
 ```
 **9. Daemon picked up the env and is live:**
 ```sh
 grep -E 'COLIBRI_AUTOSPAWN|COLIBRI_MCP_EXTERNAL_CALL' /usr/local/etc/colibri/provider.env
 service colibri_daemon status
 ```
 **10. End-to-end (optional, with a real DEEPSEEK key present):** register a
 sample node and confirm the `derive_capabilities()` trigger populated
 `capabilities` — see the [Verification](#verification) section below.
 **11. Key hygiene:** the mother-mcp private key from step 3 is on the node seed
 (`CLAWDIESEED/colibri/ssh/mother-mcp`) and nowhere else persistent. See
 [Key management](#key-management).
 ## Key management
 The mother-mcp key is NOT baked into images. It lives: